
Since September 2022, a trojanized installer for the Tor anonymity browser has been used to deliver clipper malware designed to siphon cryptocurrency, targeting users in Russia and Eastern Europe.
“Clipboard Injector […],” said Vitaly Kamluk, Director of Kaspersky’s Global Research and Analysis Team for Asia Pacific (GReAT). “Another notable aspect of clipper malware is that the malicious functionality is not triggered unless the clipboard data meets certain criteria.”
It’s not immediately clear how the installer is distributed, but with the Tor Project’s website blocked in Russia in recent years, there is evidence that torrent downloads or unknown third-party sources are being used.
Regardless of the delivery method, the installer launches the legitimate Tor Browser executable and, alongside it, a clipper payload that monitors the clipboard contents.
“If the clipboard contains text, we use a series of embedded regular expressions to scan the content,” Kamluk said. “If a match is found, it is replaced with a randomly chosen address from a hard-coded list.”

Each sample contains thousands of possible replacement addresses, from which one is selected at random. The malware can also be disabled with a special hotkey combination (Ctrl+Alt+F10), an option that was probably added during testing.
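To make the mechanism concrete, here is an added simulation of the scan-and-replace logic described above, paired with the defender-side check that a wallet or clipboard-monitoring tool could apply. It is not Kaspersky's code and not the malware's code: the regular expressions are simplified shape checks (charset and length, no checksum) written for this illustration, every address in it is a constructed placeholder rather than a real wallet, and `detect_swap` is a hypothetical defence, not a feature of any product the article mentions.

```python
"""Added illustration of the clipper technique and a defender-side check.
Not Kaspersky's code or the malware's code; patterns are simplified shape
checks and every address below is a constructed placeholder."""
import random
import re

# Coarse per-asset address shapes (charset and length only, no checksum),
# which is also all a clipper needs to decide whether to act. Approximations.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\b"),
    "ETH": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "LTC": re.compile(r"\b(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})\b"),
    "DOGE": re.compile(r"\bD[5-9A-HJ-NP-U][a-km-zA-HJ-NP-Z1-9]{32}\b"),
    "XMR": re.compile(r"\b4[0-9AB][a-km-zA-HJ-NP-Z1-9]{93}\b"),
}

# Stand-in for the malware's hard-coded replacement list (constructed values).
# Real samples carry thousands per asset; an asset with no entry here is
# simply never swapped, so the demo needs no XMR entry.
ATTACKER_ADDRESSES = {
    "BTC": ["1AttackerSwapAddrXyz9876543212345Q", "3AttackerSwapAddrAbc2345678912345W"],
    "ETH": ["0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"],
    "LTC": ["LAttackerSwapAddrXyz987654321234"],
    "DOGE": ["D7AttackerSwapAddrXyz9876543212345"],
}


def clipper_rewrite(text, rng=None):
    """Apply the clipper's scan-and-replace to one clipboard snapshot.

    Returns (new_text, swaps) where swaps lists (asset, original, replacement).
    When nothing matches, the text comes back unchanged and swaps is empty:
    the malware stays dormant until the clipboard meets its criteria.
    """
    if rng is None:
        rng = random.Random()
    swaps = []

    def make_repl(asset):
        def repl(match):
            original = match.group(0)
            replacement = rng.choice(ATTACKER_ADDRESSES[asset])
            swaps.append((asset, original, replacement))
            return replacement
        return repl

    for asset, pattern in ADDRESS_PATTERNS.items():
        if asset not in ATTACKER_ADDRESSES:
            continue  # no attacker wallet for this asset: leave it alone
        text = pattern.sub(make_repl(asset), text)
    return text, swaps


def extract_addresses(text):
    """Map asset -> list of address-shaped strings found in text."""
    found = {}
    for asset, pattern in ADDRESS_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[asset] = hits
    return found


def detect_swap(copied_text, clipboard_text):
    """Hypothetical defender-side check: compare what the user copied with
    what the clipboard holds at paste time. Returns (asset, original,
    replacement) for every copied address that vanished while another
    address of the same asset appeared; the programmatic form of
    'double-check the address you pasted'."""
    before = extract_addresses(copied_text)
    after = extract_addresses(clipboard_text)
    alerts = []
    for asset, originals in before.items():
        now = after.get(asset, [])
        newcomers = [a for a in now if a not in originals]
        for original in originals:
            if original not in now:
                alerts.append((asset, original, newcomers[0] if newcomers else None))
    return alerts


# Constructed clipboard snapshots; the third holds no address and must pass untouched.
CONSTRUCTED_CLIPBOARD = [
    "Please send 0.5 BTC to 1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab thanks",
    "my ETH: 0x1111222233334444555566667777888899990000",
    "Meeting notes: review Q3 budget",
]

if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed so the run is reproducible
    for snapshot in CONSTRUCTED_CLIPBOARD:
        rewritten, swaps = clipper_rewrite(snapshot, rng)
        print("copied :", snapshot)
        print("pasted :", rewritten)
        print("swaps  :", swaps)
        print("alerts :", detect_swap(snapshot, rewritten))
        print()
```

Two points the run makes visible: the third snapshot produces no swap and no alert, which is the "silent until criteria are met" behaviour Kamluk describes and why such implants can sit undetected for a long time; and the only reliable signal at paste time is a mismatch between the address the user actually copied and the one now in the clipboard, which is why wallet software tells users to compare the pasted address character by character.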
The Russian cybersecurity firm said it has recorded about 16,000 detections, most of them in Russia and Ukraine, followed by the United States, Germany, Uzbekistan, Belarus, China, the Netherlands, the United Kingdom, and France. Overall, the threat has been found in 52 countries around the world.
The scheme is estimated to have brought the operators around $400,000 in illicit profits through the theft of Bitcoin, Litecoin, Ether, and Dogecoin. The amount of Monero stolen is unknown because of the privacy features built into that cryptocurrency.
The scope of the campaign is believed to be broader still, as the attackers may be targeting unwary users through other software installers and previously unseen delivery methods.
To protect against such threats, download software only from trusted, reputable sources; for Tor Browser in particular, verify the OpenPGP signature the Tor Project publishes alongside each release before running the installer, and double-check any wallet address after pasting it.